Backdoor.Netbus.444051

Category 1
Discovered on: February 05, 2001
Last Updated on: April 15, 2002 04:46:46 PM

This is a variant of the well-known backdoor Trojan, Netbus. This variant contains a registry file that modifies the Windows registry. This was done because NetBus Pro version 2.1 has been redesigned so that, by default, it is not hidden. This allows NetBus Pro version 2.1 to be used as a legitimate remote-control tool. When this variant is run, it modifies the Windows registry so that NetBus runs in stealth mode.

NOTE: Netbus Pro version 2.1 is not, in and of itself, a viral program. Norton AntiVirus therefore does not detect the Netbus executable, but only the "package" that contains both the Backdoor.Netbus.444051 registry file and the Netbus executable.

Type: Trojan Horse
Infection Length: 444,051 bytes

protection
  • Virus Definitions (Intelligent Updater): February 06, 2001

    threat assessment

    Threat Metrics

    Wild: Low
    Damage: Low
    Distribution: Low

    technical details

    Netbus Pro version 2.1 is a remote-control tool. Netbus Pro version 2.1 has been redesigned such that it no longer runs stealth by default. After installing it, one must specifically allow it to run stealth. However, Backdoor.Netbus.444051 comes as a package containing a Windows registry file, a picture, and the Netbus executable.

    When executed, this package does the following:

    1. Creates and runs the registry file Extrac16.reg from the \Windows folder. This file contains settings for Netbus so that it will run stealth.
    2. Inserts the Netbus Pro executable file in the Temp folder, normally \Windows\Temp. The name of the file can change, but it will always start with Pkg and end with .exe. For example, the name could be PKGd7g8.exe or Pkg22c4.exe.
    3. Creates a "Netbus Server Pro" value in the Windows registry at:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

      This ensures execution on reboot.
    4. Executes the Netbus Pro executable. Because the settings from the registry file have been applied before Netbus is executed, no activity appears on the screen.

    To further hide its malicious actions, this backdoor Trojan attempts to trick you into believing it is a picture. When the file has been executed, after performing all the malicious actions, this backdoor Trojan will display a picture.

    By default, this variant of Netbus will open port 20034.

    recommendations

    Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

    • Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
    • If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
    • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
    • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
    • Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
    • Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
    • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

    removal instructions

    To remove this Trojan, you need to:

    • Scan for viruses and then delete files detected as infected with this Trojan.
    • Remove the value added to the RunServices registry key.
    • Delete the file added by the Trojan.
    See the sections that follow for detailed instructions.

    To scan for viruses:
    1. Run LiveUpdate to make sure that you have the most recent virus definitions.
    2. Start Norton AntiVirus (NAV), and then run a full system scan, making sure that NAV is set to scan all files.
    3. If any files are detected as Backdoor.Netbus.444051, then click Delete.

    To edit the registry:

    CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding.
    1. Click Start, and click Run. The Run dialog box appears.
    2. Type regedit and then click OK. The Registry Editor opens.
    3. Navigate to the following subkey:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    4. In the right pane, locate the Netbus Server Pro value. In the second column, just to the right of this value, note the path and file name that it refers to. Write this down.
    5. Select the Netbus Server Pro value, press Delete, and then click Yes to confirm.
    6. Click Registry and click Exit to save the changes and close the Registry Editor.
    7. Restart the computer.

    To delete the file:
    1. Start Windows Explorer, and browse to the location that you wrote down in step 4 of the previous section.
    2. Locate and select this file, press Delete, and then click Yes to confirm.
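As an added example (not part of Symantec's write-up), the following Python helper automates the check behind steps 2 and 3 of the technical details and steps 3 and 4 of the registry editing above: it parses a `reg export` style dump of the RunServices key, flags a "Netbus Server Pro" value or any value whose data points at a Pkg*.exe file, and returns the path an analyst would then delete. The sample export embedded below is constructed; only the value name, key path and file naming pattern come from the write-up.

```python
import re

# Constructed sample of what "reg export" of the RunServices key could look like
# after the package has run. Pkg22c4.exe is the example name the write-up gives;
# the other value is hypothetical, benign filler.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Netbus Server Pro"="C:\\WINDOWS\\TEMP\\Pkg22c4.exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"""

RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
# Dropped-file naming from the write-up: starts with Pkg, ends with .exe (case varies).
PKG_EXE_RE = re.compile(r"(?:^|\\)pkg[^\\]*\.exe$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Return {key_path_lowercased: {value_name: value_data}} from a .reg-style
    export. Only string (REG_SZ) values are handled, which is all this check needs."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current:
            m = VALUE_RE.match(line)
            if m:
                # .reg files escape each backslash in string data as "\\"
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def find_netbus_indicators(reg_text):
    """Flag RunServices values matching the write-up's indicators and report the
    file path that must be deleted after the value itself is removed."""
    findings = []
    values = parse_reg_export(reg_text).get(RUNSERVICES_KEY.lower(), {})
    for name, data in values.items():
        path = data.split(" /")[0]  # drop trailing command-line switches, if any
        by_name = name.lower() == "netbus server pro"
        by_file = bool(PKG_EXE_RE.search(path))
        if by_name or by_file:
            reasons = [r for r, hit in (("value name", by_name),
                                        ("Pkg*.exe in data", by_file)) if hit]
            findings.append({"value": name, "path": path, "reasons": reasons})
    return findings
```

Running `find_netbus_indicators(SAMPLE_REG_EXPORT)` on the constructed export returns one finding for the Netbus Server Pro value with the Pkg22c4.exe path; a clean export returns an empty list.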


    Write-up by: Neal Hindocha